Code integrity check - sign in Node.js


Did somebody manage to produce a correct signature for the code integrity check of apps in Node.js? Having to do this in PHP with Nextcloud installed is a bit complicated, in my opinion…

I tried already but didn’t succeed so far, maybe I was using the wrong ciphers/hashes. (I’m no cryptography expert… :wink: )

I would say, you should be able to reproduce this by looking into the code. But, I wanted to warn you of something different: What happens if the hashing is changed at some point. You will only notice this once the original hasing has been removed. Then you are too late to fix it in a quick manner.

If you really wanted to do that, you can set up a development machine with xdebug configured and do a step-debugging of the relevant section while calculating the integrity. Then you can compare with te results of Node.
The problem might be the sorting and white spaces in the JSON string representation. So, compare carefully with the node results.

If you need help with the step debugging, feel free to ask.

Thanks for the quick answer. I already looked at the php code but it seems - like you said - that the json_encode function does something different than JSON.stringify. The problem is I do not really know howto debug a php script.

I can provide you with my dev setup. xdebug is ready to be used there.

The installation with the IDE might need some tweeking, in the meantime I am using VS code. Depending on your setup, I can provide steps how to start debugging. I need to know your editor then.

Then, you can just put a breakpoint at the appropriate location and see the intermediate values (or even put write the values to a file for persistence and automated checks).

Thanks for the link, nice repo btw. I already managed to get php debugging working and I realized that even for a simple string my signatures do not match, so I guess the algorithm is not the same in the first place…

1 Like

Have you validated the string representations are the same for Node and PHP?

I suspect with the correct settings (both on node and on PHP side) these should create valid certificates at least.
Keep in mind that the certificates contain the date, so signing the same certificate twice will in general not result in the same certificate. So, this might be the reason for your problem.

You will eventually have to write a small wrapper to test your self created certificates against the app code checker.